Overview
The company has established an Information Security Management Organization responsible for formulating information security policies, planning information security measures, and executing related information security operations.
Certified for ISO/IEC 27001:2022 Information Security Management System (ISMS)
In June 2024, the ISO international certification body, DQS Youli International Management System Certification Co., Ltd., conducted an audit and certified compliance with the ISO/IEC 27001:2022 Information Security Management System (ISMS).
The certification is valid from June 10, 2024, to June 9, 2027.

Information Security Management Organization
The Company has formed an Information Security Committee, with the Chief Information Security Officer serving as the convener and the head of the Information Security and Information Management Department serving as the management representative. The committee coordinates information security policy management, information security operations, information security architecture, information security risk management, and compliance audit control.
Operational Status
The Information Security Committee also reviews the content of the information security policy annually; it convened 16 times in 2024.
The Information Security Policy is formulated by the Information Security Committee in accordance with the requirements of ISO 27001 and the guidelines for listed and OTC (Over-The-Counter) information systems.
The content includes guidelines for the use of information equipment, password usage, company email usage, internet usage, information processing, software usage and licensing, deployment principles for antivirus and data leak prevention software, remote access guidelines, and information security incident management guidelines.
The organization adopts the PDCA (Plan-Do-Check-Act) cycle management to ensure the goals are achieved and improved upon on an ongoing basis.
Information Security Policy Management Objectives:
1. Conduct information security education and training to promote awareness among employees and enhance their understanding of related responsibilities.
2. Safeguard the information related to the company's business activities, preventing unauthorized access and modifications to ensure its correctness and completeness.
3. Regularly perform audits and technical reviews to ensure the proper implementation of relevant operations.
4. Ensure that the critical core systems of the company maintain a certain level of system availability.
Information Security Infrastructure and Management Practices
1. Cybersecurity Intelligence
The company is a member of the Taiwan Computer Emergency Response Team (TWCERT) and the Science Park Information Sharing and Analysis Center (SP-ISAC). It regularly receives cybersecurity intelligence and participates in relevant cybersecurity seminars. By receiving Indicators of Compromise (IOCs) early in the intrusion detection process, the company can proactively add the IP addresses of attacker relay servers to the firewall block list, putting protective measures in place in advance to reduce the likelihood of a successful attack.
2. Computer Virus Protection:
Endpoint protection software is installed on endpoints; it updates virus definitions automatically and runs regular full hard drive scans. This blocks the latest known viruses and detects and prevents the installation of potentially malicious system executables.
3. Network Security Management:
• Firewalls are deployed to block unauthorized intrusion attempts. Information operations tools monitor the state of network services, and any host exhibiting suspicious behavior is immediately moved to an isolated network segment, denying it access to the company's network services.
• An internet proxy server is set up to filter content and block high-risk websites, protecting the privacy and security of employees' internet access. To some extent, this also helps prevent network attacks.
4. System Access Control:
Access control management practices allow only authorized personnel to access systems. System permissions are granted only after approval from the relevant authority, and periodic reviews confirm that the permissions granted remain appropriate, protecting the company's digital information assets.
5. Business Continuity Operations:
By combining preventive and restorative control measures, the company reduces the impact of disasters or failures affecting information operations to an acceptable level, based on the importance and impact of each business process and in line with information operations management goals.
6. Regular Social Engineering Drills and Training:
Social engineering awareness tests are conducted regularly, with results compiled by a backend statistics and reporting system. These tests evaluate users' awareness of email-based social engineering and their knowledge of cybersecurity policies. Security awareness campaigns and information security education and training are organized to ensure that personnel know the correct operational procedures and overall protection concepts, promoting employee awareness of information security and enhancing their understanding of related responsibilities.
Information Security Incident Reporting and Response Procedure
The company provides an online reporting platform where employees can report information security incidents they encounter. Upon receiving a report, the Operations Management Center categorizes and prioritizes the incident for handling. In 2024, there were 0 information security incidents reported by employees.
Copyright © CHENG MEI MATERIALS TECHNOLOGY CORP. All Rights Reserved.